Merge pull request #92 from dvershinin/pr-37-fixed

plugin: detect low keepalive_requests (fixed for crossplane)

Author: dvershinin

docs/en/plugins/low_keepalive_requests.md

@@ -0,0 +1,35 @@
+# Low `keepalive_requests` value
+
+The `keepalive_requests` directive sets the maximum number of requests that can be served through one keep-alive connection. After the maximum number of requests are made, the connection is closed.
+
+## Why this matters
+
+Prior to nginx 1.19.10, the default value was 100. This was raised to 1000 because low values can cause problems:
+
+- **HTTP/2 multiplexing**: Modern browsers open fewer connections but send many requests over each one. A low `keepalive_requests` value forces frequent connection resets.
+- **Client disconnections**: Some clients (especially when using HTTP/2 with proxies like Burp or mitmproxy) may experience failed requests when connections are closed prematurely.
+- **Performance overhead**: Establishing new connections has overhead (TCP handshake, TLS negotiation). Keeping connections alive longer improves performance.
+
+## Bad example
+
+```nginx
+keepalive_requests 100;
+```
+
+This forces connection closure after only 100 requests, which can cause issues with HTTP/2 clients.
+
+## Good example
+
+```nginx
+keepalive_requests 1000;
+```
+
+Or simply omit the directive to use nginx's default (1000 since nginx 1.19.10).
+
+## References
+
+- [nginx documentation: keepalive_requests](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests)
+- [nginx ticket #2155: Increase default keepalive_requests](https://trac.nginx.org/nginx/ticket/2155)
+
+--8<-- "en/snippets/nginx-extras-cta.md"
+

gixy/plugins/low_keepalive_requests.py

@@ -0,0 +1,32 @@
+"""Module for low_keepalive_requests plugin."""
+
+import gixy
+from gixy.plugins.plugin import Plugin
+
+
+class low_keepalive_requests(Plugin):
+    """
+    Insecure example:
+        keepalive_requests 100;
+    """
+
+    summary = "The keepalive_requests directive should be at least 1000."
+    severity = gixy.severity.LOW
+    description = "The keepalive_requests directive should be at least 1000. Any value lower than this may result in client disconnections."
+    help_url = "https://gixy.getpagespeed.com/en/plugins/low_keepalive_requests/"
+    directives = ["keepalive_requests"]
+
+    def audit(self, directive):
+        if not directive.args:
+            return
+        try:
+            value = int(directive.args[0])
+        except (ValueError, TypeError, IndexError):
+            return
+        if value < 1000:
+            self.add_issue(
+                severity=self.severity,
+                directive=[directive],
+                reason="The keepalive_requests directive should be at least 1000.",
+            )
+

mkdocs.yml

@@ -51,6 +51,7 @@ nav:
     - plugins/unanchored_regex.md
     - plugins/regex_redos.md
     - plugins/worker_rlimit_nofile_vs_connections.md
+    - plugins/low_keepalive_requests.md
   - 'NGINX Extras RPMs': 'https://nginx-extras.getpagespeed.com/'
   - 'Blog': 'https://www.getpagespeed.com/posts'
 markdown_extensions:

tests/plugins/simply/low_keepalive_requests/low_keepalive_requests.conf

@@ -0,0 +1,2 @@
+keepalive_requests 100;
+

tests/plugins/simply/low_keepalive_requests/low_keepalive_requests_fp.conf

@@ -0,0 +1,2 @@
+keepalive_requests 1000;
+